-
Notifications
You must be signed in to change notification settings - Fork 3
135 lines (116 loc) · 5.79 KB
/
deploy-production-container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: "Terragrunt deploy PRODUCTION container"
on:
push:
branches:
- main
paths:
- "infrastructure/environments.yml"
pull_request:
branches:
- main
paths:
- "infrastructure/environments.yml"
env:
AWS_REGION: ca-central-1
CONFTEST_VERSION: 0.27.0
TERRAFORM_VERSION: 1.9.2
TERRAGRUNT_VERSION: 0.57.5
TF_INPUT: false
TF_VAR_database_name: ${{ secrets.PRODUCTION_DATABASE_NAME }}
TF_VAR_database_username: ${{ secrets.PRODUCTION_DATABASE_USERNAME }}
TF_VAR_database_password: ${{ secrets.PRODUCTION_DATABASE_PASSWORD }}
TF_VAR_cloudfront_custom_header_name: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_NAME }}
TF_VAR_cloudfront_custom_header_value: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_VALUE }}
TF_VAR_list_manager_endpoint: ${{ secrets.PRODUCTION_LIST_MANAGER_ENDPOINT }}
TF_VAR_default_list_manager_api_key: ${{ secrets.PRODUCTION_DEFAULT_LIST_MANAGER_API_KEY }}
TF_VAR_default_notify_api_key: ${{ secrets.PRODUCTION_DEFAULT_NOTIFY_API_KEY }}
TF_VAR_encryption_key: ${{ secrets.PRODUCTION_ENCRYPTION_KEY }}
TF_VAR_s3_uploads_bucket: ${{ secrets.PRODUCTION_S3_UPLOADS_BUCKET }}
TF_VAR_s3_uploads_key: ${{ secrets.PRODUCTION_S3_UPLOADS_KEY }}
TF_VAR_s3_uploads_secret: ${{ secrets.PRODUCTION_S3_UPLOADS_SECRET }}
TF_VAR_c3_aws_access_key_id: ${{ secrets.PRODUCTION_C3_AWS_ACCESS_KEY_ID }}
TF_VAR_c3_aws_secret_access_key: ${{ secrets.PRODUCTION_C3_AWS_SECRET_ACCESS_KEY }}
TF_VAR_sentinel_customer_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
TF_VAR_sentinel_shared_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
TF_VAR_slack_webhook_url: ${{ secrets.PRODUCTION_SLACK_WEBHOOK_URL }}
TF_VAR_wordpress_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_KEY }}
TF_VAR_wordpress_secure_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_KEY }}
TF_VAR_wordpress_logged_in_key: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_KEY }}
TF_VAR_wordpress_nonce_key: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_KEY }}
TF_VAR_wordpress_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_SALT }}
TF_VAR_wordpress_secure_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_SALT }}
TF_VAR_wordpress_logged_in_salt: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_SALT }}
TF_VAR_wordpress_nonce_salt: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_SALT }}
TF_VAR_jwt_auth_secret_key: ${{ secrets.PRODUCTION_JWT_AUTH_SECRET_KEY }}
TF_VAR_wpml_site_key: ${{ secrets.PRODUCTION_WPML_SITE_KEY }}
TF_VAR_zendesk_api_url: ${{ secrets.ZENDESK_API_URL }}
permissions:
id-token: write
contents: read
pull-requests: write
jobs:
environments-manifest:
uses: cds-snc/gc-articles/.github/workflows/environments-manifest.yml@main
terragrunt-plan-production:
needs: environments-manifest
runs-on: ubuntu-latest
if: |
github.ref != 'refs/heads/main' &&
github.event_name == 'pull_request' &&
needs.environments-manifest.outputs.CONTAINER_DEPLOYMENT == 'production'
env:
TARGET_VERSION: ${{ needs.environments-manifest.outputs.PROD_INFRASTRUCTURE }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::472286471787:role/gc-articles-plan
role-session-name: TFPlanECS
aws-region: ${{ env.AWS_REGION }}
# Load-balancer & database dependency
- name: Terragrunt plan ecs
if: ${{ needs.environments-manifest.outputs.CONTAINER_DEPLOYMENT == 'production' }}
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "infrastructure/terragrunt/env/prod/ecs"
comment-delete: "true"
comment-title: "Production: ecs"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terragrunt-apply-production:
needs: environments-manifest
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main' &&
github.event_name == 'push' &&
needs.environments-manifest.outputs.CONTAINER_DEPLOYMENT == 'production'
env:
APACHE_VERSION: ${{ needs.environments-manifest.outputs.PROD_APACHE }}
TARGET_VERSION: ${{ needs.environments-manifest.outputs.PROD_INFRASTRUCTURE }}
WORDPRESS_VERSION: ${{ needs.environments-manifest.outputs.PROD_WORDPRESS }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::472286471787:role/gc-articles-apply
role-session-name: TFApplyECS
aws-region: ${{ env.AWS_REGION }}
- name: Terragrunt apply ecs
working-directory: infrastructure/terragrunt/env/prod/ecs
run: terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Report deployment to Sentinel
if: always()
uses: cds-snc/sentinel-forward-data-action@main
with:
input_data: '{"product": "articles", "sha": "${{ github.sha }}", "version": "Apache ${{ env.APACHE_VERSION }}, Wordpress ${{ env.WORDPRESS_VERSION }}", "repository": "${{ github.repository }}", "environment": "production", "status": "${{ job.status }}"}'
log_type: CDS_Product_Deployment_Data
log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}